US6981280B2 - Intelligent network scanning system and method - Google Patents


Info

Publication number
US6981280B2
Authority
US
United States
Prior art keywords
network element
data
scanning
load
scanned
Prior art date
Legal status
Expired - Lifetime
Application number
US09/895,499
Other versions
US20030009690A1 (en)
Inventor
Robert R. Grupe
Current Assignee
JPMorgan Chase Bank NA
Morgan Stanley Senior Funding Inc
Original Assignee
McAfee LLC
Application filed by McAfee LLC
Priority to US09/895,499
Assigned to NETWORKS ASSOCIATES TECHNOLOGY, INC. (assignment of assignors' interest; assignor: GRUPE, ROBERT R.)
Priority to EP02749553A (EP1402370A1)
Priority to PCT/US2002/017760 (WO2003003214A1)
Publication of US20030009690A1
Assigned to MCAFEE, INC. (merger; assignor: NETWORKS ASSOCIATES TECHNOLOGY, INC.)
Priority to US11/232,812 (US7152241B2)
Application granted
Publication of US6981280B2
Assigned to MCAFEE, LLC (change of name and entity conversion; assignor: MCAFEE, INC.)
Assigned to JPMORGAN CHASE BANK, N.A. (security interest; assignor: MCAFEE, LLC)
Assigned to MORGAN STANLEY SENIOR FUNDING, INC. (security interest; assignor: MCAFEE, LLC)
Assigned to JPMORGAN CHASE BANK, N.A. (corrective assignment removing patent 6336186 previously recorded on reel 045055 frame 786; security interest confirmed; assignor: MCAFEE, LLC)
Assigned to MORGAN STANLEY SENIOR FUNDING, INC. (corrective assignment removing patent 6336186 previously recorded on reel 045056 frame 0676; security interest confirmed; assignor: MCAFEE, LLC)
Assigned to MCAFEE, LLC (release of intellectual property collateral, reel/frame 045055/0786; assignor: JPMORGAN CHASE BANK, N.A., as collateral agent)
Assigned to MCAFEE, LLC (release of intellectual property collateral, reel/frame 045056/0676; assignor: MORGAN STANLEY SENIOR FUNDING, INC., as collateral agent)
Assigned to JPMORGAN CHASE BANK, N.A., as administrative agent and collateral agent (security interest; assignor: MCAFEE, LLC)
Assigned to JPMORGAN CHASE BANK, N.A., as administrative agent (corrective assignment correcting the patent titles and removing duplicates in the schedule previously recorded at reel 059354 frame 0335; assignment confirmed; assignor: MCAFEE, LLC)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 47/00 Traffic control in data switching networks > H04L 47/10 Flow control; Congestion control
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 47/00 Traffic control in data switching networks > H04L 47/10 Flow control; Congestion control > H04L 47/11 Identifying congestion
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Detecting or protecting against malicious traffic > H04L 63/1408 Detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic

Definitions

  • In the network architecture 100 of FIG. 1, the gateway 107 serves as an entrance point from the remote networks 102 to the proximate networks 108.
  • The gateway 107 may function as a router, which is capable of directing a given packet of data that arrives at the gateway 107, and as a switch, which furnishes the actual path in and out of the gateway 107 for a given packet.
  • At least one data server 114 is coupled to the proximate networks 108 and is accessible from the remote networks 102 via the gateway 107.
  • The data servers 114 may include any type of computing device/groupware. Coupled to the data servers 114 is a plurality of user devices 116.
  • Such user devices 116 may include a desktop computer, lap-top computer, hand-held computer, printer or any other type of logic. It should be noted that the user devices 116 may also be directly coupled to the networks, in one embodiment.
  • A gateway scanner 118 is coupled to each gateway 107, a data server scanner 120 is coupled to each data server 114, and a user device scanner 122 is coupled to each user device 116.
  • Additional scanners may be utilized with any type of network element coupled to the networks 104, 106, 110 and 112. In the context of the present description, a network element may refer to any component of a network.
  • Each of the scanners is capable of executing a scanning procedure. Details regarding such scanning procedure will be set forth hereinafter in greater detail.
  • FIG. 2 shows a representative hardware environment that may be associated with the data servers 114 and user devices 116 of FIG. 1 , in accordance with one embodiment.
  • Such figure illustrates a typical hardware configuration of a workstation in accordance with a preferred embodiment having a central processing unit 210, such as a microprocessor, and a number of other units interconnected via a system bus 212.
  • The workstation shown in FIG. 2 includes a Random Access Memory (RAM) 214, Read Only Memory (ROM) 216, an I/O adapter 218 for connecting peripheral devices such as disk storage units 220 to the bus 212, a user interface adapter 222 for connecting a keyboard 224, a mouse 226, a speaker 228, a microphone 232, and/or other user interface devices such as a touch screen and a digital camera (not shown) to the bus 212, a communication adapter 234 for connecting the workstation to a communication network 235 (e.g., a data processing network) and a display adapter 236 for connecting the bus 212 to a display device 238.
  • The workstation may have resident thereon an operating system such as the MICROSOFT WINDOWS NT or WINDOWS/95 Operating System (OS), the IBM OS/2 operating system, the MAC OS, or UNIX operating system. It will be appreciated that a preferred embodiment may also be implemented on platforms and operating systems other than those mentioned.
  • A preferred embodiment may be written using JAVA, C, and/or C++ language, or other programming languages, along with an object oriented programming methodology. Object oriented programming (OOP) has become increasingly used to develop complex applications.
  • FIG. 3 illustrates a method 300 for scanning data, in accordance with one embodiment.
  • The method 300 may be executed by the gateway scanner 118 coupled to the gateway 107 of FIG. 1. It should be noted, however, that the method 300 may be executed by any of the scanners 118, 120 and/or 122 of FIG. 1, or by a scanner associated with any desired network element.
  • Data is received at the network element, after which a load on the network element is identified. The load may include a backlog of data to be scanned at the network element.
  • Such backlog may be identified by determining an amount (e.g. in MB) of data to be scanned. Alternatively, the amount may refer to a data flow rate.
  • The load may be caused by general network traffic, resource shortages, bandwidth restrictions, etc.
  • In decision 304 it is determined whether the load meets predetermined criteria. In one embodiment, it may be determined whether the load is greater than a predetermined amount. Such predetermined amount may be selected to ensure optimal operation of the network element.
  • If the load is less than the predetermined amount, the data may be completely scanned in its entirety at the network element. See operation 306.
  • The data may only be partially scanned, or not scanned at all, at the network element if the load is greater than the predetermined amount. Note operation 308.
  • In other words, an amount of scanning completed at the network element may be a function of the load on the network element. The data may be conditionally scanned at the network element based on the load on the network element in any desired manner.
  • The partial and complete scans may each include any type of scan and differ in any desired manner as long as the partial scan takes less time to execute than the complete scan.
  • Since scans often take the form of multiple scanning modules each adapted to detect different types of vulnerabilities, viruses, etc., a partial scan may simply be a subset of the full collection of such scanning modules. Moreover, the selection of the subset may be specifically tailored to the particular network element, environment, etc. and the specific vulnerabilities thereof. In the context of the present description, a partial scan may also refer to a complete scan of only a portion of the data queued to be scanned.
  • As an option, a status of the scanning at the network element may be stored in memory. As such, an additional network element, i.e. a server, may conditionally scan the data based on the status in a manner that will be set forth in greater detail during reference to FIG. 6.
  • Such memory may take the form of a database, centralized reference information repository, an indexed flat file, a holographic storage system, or any memory capable of storing information.
  • FIG. 4 illustrates another method 400 for scanning data.
  • The method 400 may be executed by the data server scanner 120 coupled to each data server 114 of FIG. 1. It should be noted, however, that the method 400 may be executed by any of the scanners 118, 120 and/or 122 of FIG. 1, or by a scanner associated with any desired network element.
  • Data is received at a network element in operation 402. It is then determined whether there is a request for the data from another network element in operation 404. For example, the request for the data may be received from one of the user devices 116.
  • The data may then be conditionally scanned at the network element based on whether there is a request for the data from another network element. In particular, if it is determined in decision 405 that a request has been made for the data, the data may only be partially scanned at the network element. See operation 410. As an option, an amount of scanning completed at the network element may be a function of a load on the network element. Once partially scanned, the data may be transmitted to the requesting network element in operation 412.
  • If no request has been made for the data, a complete scan may be executed in operation 406. Once the complete scan is executed, the present method 400 may poll until a request is received in decision 408. Once the request is received, the data may be transmitted to the requesting network element in operation 412.
  • As an option, a status of the scanning at the network element may be stored in memory. As such, an additional network element, i.e. a user device, may conditionally scan the data based on the status in a manner that will be set forth in greater detail during reference to FIG. 6.
  • FIG. 5 illustrates yet another method 500 for scanning data, in accordance with one embodiment.
  • The method 500 may be executed by the user device scanners 122 coupled to the user devices 116 of FIG. 1. It should be noted, however, that the method 500 may be executed by any of the scanners 118, 120 and/or 122 of FIG. 1, or by a scanner associated with any desired network element.
  • Upon receipt of data at the network element, an extent to which the data was previously scanned by another network element is determined. See operation 504.
  • The data is then conditionally scanned at the network element based on the extent to which the data was previously scanned by another network element, as indicated in operation 506.
  • In particular, an amount of scanning completed at the network element may be a function of the extent to which the data was previously scanned by another network element. For example, the amount of scanning completed at the network element may be sufficient to complete an entirety of the scanning.
  • As mentioned earlier, scans often take the form of multiple scanning modules each adapted to detect different types of vulnerabilities, viruses, etc. The current scan of operation 506 may thus include any remaining subset of the full collection of such scanning modules.
  • As an option, the extent to which the data was previously scanned by another network element is identified in a memory log accessible by the network element. Further, a status of the scanning at the present network element after operation 506 may be stored in such log. As such, still yet another additional network element may conditionally scan the data based on the status in a manner that will be set forth in greater detail during reference to FIG. 6.
  • FIG. 6 illustrates an exemplary method 600 combining the various principles set forth hereinabove into a single system.
  • Initially, data is received from one of the remote networks 102 at the gateway 107 coupled between the remote network 102 and at least one of the data servers 114. It is then determined in decision 604 whether a backlog of data to be scanned in the gateway scanner 118 exists.
  • If the backlog is greater than a predetermined amount, a partial scan is performed utilizing the gateway scanner 118 at the gateway 107. See operation 606. If, on the other hand, the backlog is less than the predetermined amount, an entirety of the data is scanned utilizing the gateway scanner 118 at the gateway 107. Note operation 608.
  • In operation 610, a first status as to the scanning performed utilizing the gateway scanner 118 is stored in a database 612 coupled to the gateway scanner 118. Such database 612 may be coupled to the gateway scanner 118 via one of the networks 102 and 108, reside at the gateway 107, or in any desired location. More information regarding such process may be found by reference to FIG. 3.
  • Next, the data is passed from the gateway scanner 118 to the data server 114 coupled thereto. Upon receipt, the first status stored in operation 610 is read from the database 612 utilizing the data server scanner 120 at the data server 114. Note operation 614. The data server scanner 120 then conditionally scans the data based on the first status and on whether a request for the data has been received from a user device 116.
  • A second status of the scanning performed utilizing the data server scanner 120 is then stored in the database 612 which is coupled thereto. Note operation 622. It should be noted that the second status may be simply an update to the first status, a stand-alone status record, or any desired information for tracking the current status of the scanning. In use, the data is transmitted to the user device 116 in response to the request. More information regarding such process may be found by reference to FIG. 4.
  • At the user device 116, the second status is read from the database 612 utilizing the user device scanner 122. See operation 624. As such, it may be determined whether the scanning of the data is complete based on the first status and the second status. If it is determined in decision 626 that the scanning of the data is complete, the data is simply used at the user device 116. See operation 627. If it is determined in decision 626 that the scanning of the data is not complete, the scanning of the data is completed utilizing the user device scanner 122 at the user device 116. Note operation 628.
  • Thereafter, a third status is stored in the database 612 for indicating that the scanning is complete. As such, other network elements may selectively scan the data based on the status. More information regarding such process may be found by reference to FIG. 5.
  • It should be noted that the user device scanners 122 of the user devices 116 may utilize the functionality of FIGS. 3 and 4 in response to load conditions and requests made by other network elements, respectively. Similarly, the gateway scanner 118 of the gateway 107 may employ the techniques of FIG. 5 prior to transmitting data to the remote networks 102. In general, any of the network elements may employ any of the desired functionality set forth hereinabove.
  • The various techniques disclosed herein thus provide the ability to intelligently vary the amount of scanning based upon available computing resources and content bandwidth requirements, to identify data that has been partially checked and to share the data integrity status with other applications through the use of the database, and to defer lower priority scanning tasks to another time and/or delegate scanning tasks to other available networked scanning computers if adequately prioritized analysis resources are not available.
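As an added example that is not code from the patent or from McAfee, the following Python models the end-to-end flow of FIG. 6 using the per-element methods of FIGS. 3, 4 and 5: the gateway scanner chooses between a full and a partial scan from its backlog, the data server scanner chooses from whether a user device is already waiting for the data, and the user device scanner runs only the modules the shared status database says are still outstanding. The three scanning modules and their detection strings, the 50 MB backlog threshold, the rule that a partial scan runs only the first outstanding module, and the keying of database 612 records by a SHA-256 digest of the data are all assumptions made for this example; the patent specifies none of them.

```python
"""Load-, request- and status-conditional scanning across a gateway, a data
server and a user device, in the style of FIGS. 3-6 of US6981280B2.

Added illustration, not code from the patent or from McAfee. The scanning
modules, their detection strings, the backlog threshold, the "first
outstanding module" rule for a partial scan and the SHA-256 keying of the
status records are assumptions made for this example.
"""
import hashlib
from dataclasses import dataclass, field


# --- The "full collection of scanning modules" ------------------------------
# Each module looks for a different class of problem. The detection logic is
# constructed for the example and is not a real signature set.
def sig_scan(data: bytes) -> list[str]:
    return ["signature:test-string"] if b"EICAR-TEST" in data else []


def macro_scan(data: bytes) -> list[str]:
    return ["macro:AutoOpen"] if b"AutoOpen" in data else []


def content_scan(data: bytes) -> list[str]:
    return ["policy:hoax"] if b"forward this to everyone" in data.lower() else []


ALL_MODULES = {"signature": sig_scan, "macro": macro_scan, "content": content_scan}
# Order in which modules run; a partial scan takes modules from the front
# (assumption: the most valuable checks are listed first).
PRIORITY = ["signature", "macro", "content"]


def data_id(data: bytes) -> str:
    """Key for the status log. Keying by digest means a record can only vouch
    for exactly the bytes that were scanned (assumption; the patent leaves the
    keying of the log unspecified)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class StatusLog:
    """Database 612: which modules have already run on which data."""
    records: dict[str, dict] = field(default_factory=dict)

    def done(self, data: bytes) -> set[str]:
        return set(self.records.get(data_id(data), {}).get("modules", []))

    def complete(self, data: bytes) -> bool:
        return self.done(data) == set(ALL_MODULES)

    def record(self, data: bytes, element: str, modules: list[str], findings: list[str]) -> None:
        rec = self.records.setdefault(data_id(data), {"modules": [], "findings": [], "trail": []})
        rec["modules"] = sorted(set(rec["modules"]) | set(modules))
        rec["findings"].extend(findings)
        rec["trail"].append((element, list(modules)))


def remaining(data: bytes, log: StatusLog) -> list[str]:
    """FIG. 5: the subset of modules nobody upstream has run yet."""
    return [m for m in PRIORITY if m not in log.done(data)]


def run(data: bytes, modules: list[str], log: StatusLog, element: str) -> list[str]:
    """Run the given modules and record a status for this element."""
    if not modules:
        return []
    findings = [f for m in modules for f in ALL_MODULES[m](data)]
    log.record(data, element, modules, findings)
    return findings


def scan_gateway(data: bytes, backlog_mb: float, log: StatusLog, threshold_mb: float = 50.0) -> list[str]:
    """FIG. 3 / operations 604-610: full scan when the backlog is below the
    threshold, otherwise only the first outstanding module."""
    todo = remaining(data, log)
    if backlog_mb > threshold_mb:
        todo = todo[:1]
    return run(data, todo, log, "gateway")


def scan_server(data: bytes, requested: bool, log: StatusLog) -> list[str]:
    """FIG. 4: if a user device is already waiting, run one outstanding module
    and forward; otherwise finish the scan before serving the data."""
    todo = remaining(data, log)
    if requested:
        todo = todo[:1]
    return run(data, todo, log, "server")


def scan_user_device(data: bytes, log: StatusLog) -> list[str]:
    """FIG. 5 / operations 624-628: complete whatever is still outstanding."""
    return run(data, remaining(data, log), log, "user_device")


def deliver(data: bytes, backlog_mb: float, requested: bool, log: StatusLog) -> tuple[list[str], list]:
    """FIG. 6 end to end. Returns (all findings, which element ran what)."""
    findings = scan_gateway(data, backlog_mb, log)
    findings += scan_server(data, requested, log)
    if not log.complete(data):  # decision 626
        findings += scan_user_device(data, log)
    return findings, log.records[data_id(data)]["trail"]


if __name__ == "__main__":
    # Constructed sample: a busy gateway and a user already waiting for a
    # document that carries an AutoOpen macro.
    log = StatusLog()
    print(deliver(b"Sub AutoOpen() ... End Sub", backlog_mb=120.0, requested=True, log=log))
```

The digest keying addresses a point the patent leaves open. A downstream element skips modules on the strength of a status record, so the record must be bound to exactly the bytes it vouches for, and whoever can write to database 612 can cause data to reach a user device with modules skipped. In a deployment the records would also need to be authenticated (for instance an HMAC under a key shared by the scanners) and write access to the database restricted to the scanners; neither is shown here.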

Abstract

A system, method and computer program product are provided for scanning data. Initially, data is received at a network element. Thereafter, a load on the network element is identified. The data is then conditionally scanned at the network element based on the load on the network element. Another system, method and computer program product are provided for scanning data. After the receipt of data at a network element, it is determined as to whether there is a request for the data. The data may then be conditionally scanned at the network element based on whether there is a request for the data. The data is subsequently transmitted in response to the request. Still another system, method and computer program product are provided for scanning data. Upon the receipt of data at a network element, an extent to which the data was previously scanned by another network element is determined. The data is then conditionally scanned at the network element based on the extent to which the data was previously scanned by another network element.

Description

FIELD OF THE INVENTION
The present invention relates to scanning methods, and more particularly to intelligent scanning methods.
BACKGROUND OF THE INVENTION
Network security management is becoming a more difficult problem as networks grow in size and become a more integral part of organizational operations. Attacks on networks are growing both due to the intellectual challenge such attacks represent for hackers and due to the increasing payoff for the serious attacker. Furthermore, the attacks are growing beyond the current capability of security management tools to identify and quickly respond to those attacks. As various attack methods are tried and ultimately repulsed, the attackers will attempt new approaches with more subtle attack features. Thus, maintaining network security is an on-going, ever changing, and increasingly complex problem.
Computer network attacks can take many forms and any one attack may include many security events of different types. Security events are anomalous network conditions each of which may cause an anti-security effect to a computer network. Security events include stealing confidential or private information; producing network damage through mechanisms such as viruses, worms, or Trojan horses; overwhelming the network's capability in order to cause denial of service, and so forth.
Security systems often employ security risk-assessment tools, i.e. “scanners,” to simulate an attack against computer systems via a remote connection. Such scanners can probe for network weaknesses by simulating certain types of security events that make up an attack. Such tools can also test user passwords for suitability and security. Moreover, scanners can search for known types of security events in the form of malicious programs such as viruses, worms, and Trojan horses. Further, scanners are used for content filtering to enforce an organization's operational policies [i.e. detecting harassing or pornographic content, junk e-mails, misinformation (virus hoaxes), etc.].
In most security systems, data often gets scanned multiple times as it is transmitted through various network elements. For data entering from external networks, there is usually some security scanning that first takes place at a network gateway. Then, the data is scanned again when it is saved to a server, after which it is scanned once again by an end user workstation upon retrieval. This redundant scanning results in unnecessary duplication of computing workload resources. Organizations must purchase equipment that can handle all such additional information processing in the form of more memory and additional processing capacity. There is thus a need for reducing the redundancy of scanning in security system scanning, and avoiding the need for additional resources.
Security systems often use gateway scanning to analyze data entering a network from other uncontrolled networks to detect possible attacks. Of course, this requires time and resources at the gateway. As such, gateway scanning often involves a balance between providing timely access to the data stream by an end user, and providing a thorough scan of the incoming data. So long as there is not much data passing through the gateway, comprehensive scanning can be accomplished without interrupting timely user access to the data. However, if the gateway is extremely busy checking for many different potential threats, the data access may be unacceptably constricted. There is thus a need for optimally balancing timely access to the data stream by an end user, and providing a thorough scan of the incoming data in a gateway environment.
Current security systems employ an “all or nothing” approach to scanning. When triggered either by an access or scheduled request, a specified scan must be executed completely (100%) regardless of current computing resource availability. Some e-mail server scanning programs feature “trusted scanning.” Once an item has been scanned by one server, it may be flagged so subsequent e-mail servers can avoid re-scanning the item. Unfortunately, such e-mail server scanning programs require complete scans if one is required at all. There is thus a need for improving load balancing by exploiting partial scans as opposed to the complete scans of the prior art.
DISCLOSURE OF THE INVENTION
A system, method and computer program product are provided for scanning data. Initially, data is received at a network element. Thereafter, a load on the network element is identified. The data is then conditionally scanned at the network element based on the load on the network element.
In one aspect of the present embodiment, the network element may include a gateway. Further, the load may include a backlog of data to be scanned at the network element.
In another aspect of the present embodiment, an amount of scanning completed at the network element may be a function of the load on the network element. In particular, the data may be partially scanned at the network element if the load on the network element is greater than a predetermined amount. If, however, the load on the network element is less than the predetermined amount, the data may be completely scanned at the network element.
As an option, a status of the scanning at the network element may be stored in memory. As such, an additional network element, i.e. a server, may conditionally scan the data based on the status.
Another system, method and computer program product are provided for scanning data. After the receipt of data at a network element, it is determined as to whether there is a request for the data. The data may then be conditionally scanned at the network element based on whether there is a request for the data. The data is subsequently transmitted in response to the request.
In one aspect of the present embodiment, the network element may include a server. Further, the request for the data may be received from a user device.
In another aspect of the present embodiment, the data may be partially scanned at the network element if it is determined that there is a request for the data. If it is determined that there is not a request for the data, the data may be completely scanned at the network element.
Still another system, method and computer program product are provided for scanning data. Upon the receipt of data at a network element, an extent to which the data was previously scanned by another network element is determined. The data is then conditionally scanned at the network element based on the extent to which the data was previously scanned by another network element.
In one aspect of the present embodiment, the network element may include a user device. Further, an amount of scanning completed at the network element may be a function of the extent to which the data was previously scanned by another network element. In particular, an amount of scanning completed at the network element may be sufficient to complete an entirety of the scanning.
Optionally, the extent to which the data was previously scanned by another network element is identified in a log accessible by the network element.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates a network architecture, in accordance with one embodiment.
FIG. 2 shows a representative hardware environment that may be associated with the data servers and user devices of FIG. 1, in accordance with one embodiment.
FIG. 3 illustrates a method for scanning data, in accordance with one embodiment.
FIG. 4 illustrates another method for scanning data, in accordance with one embodiment.
FIG. 5 illustrates yet another method for scanning data, in accordance with one embodiment.
FIG. 6 illustrates an exemplary method combining the various principles set forth hereinabove into a single system.
DESCRIPTION OF THE PREFERRED EMBODIMENTS
FIG. 1 illustrates a network architecture 100, in accordance with one embodiment. As shown, a plurality of remote networks 102 are provided including a first remote network 104 and a second remote network 106. Also included is at least one gateway 107 coupled between the remote networks 102 and a plurality of proximate networks 108. Such proximate networks 108 include a first proximate network 110 and a second proximate network 112. In the context of the present network architecture 100, the networks 104, 106, 110 and 112 may each take any form including, but not limited to a local area network (LAN), a wide area network (WAN) such as the Internet, etc.
In use, the gateway 107 serves as an entrance point from the remote networks 102 to the proximate networks 108. As such, the gateway 107 may function as a router, which is capable of directing a given packet of data that arrives at the gateway 107, and a switch, which furnishes the actual path in and out of the gateway 107 for a given packet.
Further included is at least one data server 114 coupled to the proximate networks 108 and accessible from the remote networks 102 via the gateway 107. It should be noted that the data servers 114 may include any type of computing device/groupware. Coupled to the data servers 114 is a plurality of user devices 116. Such user devices 116 may include a desktop computer, lap-top computer, hand-held computer, printer or any other type of logic. It should be noted that the user devices 116 may also be directly coupled to the networks, in one embodiment.
Further provided is a plurality of scanners coupled to the various network elements of the network architecture 100. In particular, a gateway scanner 118 is coupled to each gateway 107, a data server scanner 120 is coupled to each data server 114, and a user device scanner 122 is coupled to each user device 116. It should be noted that additional scanners may be utilized with any type of network element coupled to the networks 104, 106, 110 and 112. In the context of the present description, a network element may refer to any component of a network. In use, each of the scanners is capable of executing a scanning procedure. Details regarding such scanning procedure will be set forth hereinafter in greater detail.
FIG. 2 shows a representative hardware environment that may be associated with the data servers 114 and user devices 116 of FIG. 1, in accordance with one embodiment. Such figure illustrates a typical hardware configuration of a workstation in accordance with a preferred embodiment having a central processing unit 210, such as a microprocessor, and a number of other units interconnected via a system bus 212.
The workstation shown in FIG. 2 includes a Random Access Memory (RAM) 214, Read Only Memory (ROM) 216, an I/O adapter 218 for connecting peripheral devices such as disk storage units 220 to the bus 212, a user interface adapter 222 for connecting a keyboard 224, a mouse 226, a speaker 228, a microphone 232, and/or other user interface devices such as a touch screen and a digital camera (not shown) to the bus 212, a communication adapter 234 for connecting the workstation to a communication network 235 (e.g., a data processing network) and a display adapter 236 for connecting the bus 212 to a display device 238.
The workstation may have resident thereon an operating system such as the MICROSOFT WINDOWS NT or WINDOWS/95 Operating System (OS), the IBM OS/2 operating system, the MAC OS, or UNIX operating system. It will be appreciated that a preferred embodiment may also be implemented on platforms and operating systems other than those mentioned. A preferred embodiment may be written using JAVA, C, and/or C++ language, or other programming languages, along with an object oriented programming methodology. Object oriented programming (OOP) has become increasingly used to develop complex applications.
FIG. 3 illustrates a method 300 for scanning data, in accordance with one embodiment. Optionally, the method 300 may be executed by the gateway scanner 118 coupled to the gateway 107 of FIG. 1. It should be noted, however, that the method 300 may be executed by any of the scanners 118, 120 and/or 122 of FIG. 1, or by a scanner associated with any desired network element.
Initially, in operation 302, data is received at the network element. Thereafter, a load on the network element is identified. Note operation 303. As an option, the load may include a backlog of data to be scanned at the network element. Such backlog may be identified by determining the amount of data (e.g. in megabytes) waiting to be scanned. As an option, the amount may refer to a data flow rate. In the alternative, the load may be caused by general network traffic, resource shortages, bandwidth restrictions, etc.
Thereafter, in decision 304, it is determined whether the load meets predetermined criteria. In one embodiment, it may be determined whether the load is greater than a predetermined amount. Such predetermined amount may be selected to ensure optimal operation of the network element.
If the load is less than the predetermined amount, the data may be scanned in its entirety at the network element. See operation 306. On the other hand, the data may only be partially scanned, or not scanned at all, at the network element if the load is greater than the predetermined amount. Note operation 308. As an option, the amount of scanning completed at the network element may be a function of the load on the network element.
Of course, the data may be conditionally scanned at the network element based on the load on the network element in any desired manner. It should be noted that the partial and complete scans may each include any type of scan and may differ in any desired manner, as long as the partial scan takes less time to execute than the complete scan.
For example, scans often take the form of multiple scanning modules each adapted to detect different types of vulnerabilities, banned content, viruses, etc. A partial scan may simply be a subset of the full collection of such scanning modules. Moreover, the selection of the subset may be specifically tailored to the particular network element, environment, etc. and the specific vulnerabilities thereof. In the context of the present description, a partial scan may also refer to a complete scan of only a portion of the data queued to be scanned.
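As an added illustration of the load-driven selection in operations 303 through 308 (this is example code written for this page, not an implementation from the patent), the following Python treats a scan as a list of scanning modules and chooses the subset to run as a function of the backlog. The module names, their relative costs, the threshold, the linear shrinking of the scanning budget and the cut-off at four times the threshold (above which nothing is scanned locally) are all assumptions made here, as is the sample content; the tokens the modules look for are placeholders, not real signatures.

```python
"""Load-driven partial scanning, in the manner of FIG. 3 of US6981280B2.
Added example, not the patent's code.  A scan is a list of modules; a
partial scan runs only a subset chosen as a function of the backlog."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Module:
    name: str
    cost: int                        # relative cost, arbitrary units (assumed)
    check: Callable[[bytes], bool]   # True when the module finds something


# Constructed module set.  The byte tokens are placeholders, not signatures.
MODULES = [
    Module("known-signature", 1, lambda d: b"SIGNATURE-A" in d),
    Module("script-heuristic", 3, lambda d: b"<script" in d.lower()),
    Module("archive-unpack", 8, lambda d: d.startswith(b"PK\x03\x04")),
    Module("banned-content", 2, lambda d: b"CONFIDENTIAL" in d),
]


def select_modules(backlog_mb: float, threshold_mb: float,
                   modules=MODULES) -> List[Module]:
    """Decision 304: the amount of scanning is a function of the load.

    At or below the threshold every module runs (operation 306).  Above it
    (operation 308) the cheapest modules are kept while their total cost
    fits a budget that shrinks linearly from the full cost at 1x the
    threshold to zero at 4x, where nothing is scanned on this element."""
    if backlog_mb <= threshold_mb:
        return list(modules)
    ratio = backlog_mb / threshold_mb
    if ratio >= 4:
        return []
    total_cost = sum(m.cost for m in modules)
    budget = total_cost * (1 - (ratio - 1) / 3)
    chosen, spent = [], 0
    for m in sorted(modules, key=lambda m: m.cost):
        if spent + m.cost <= budget:
            chosen.append(m)
            spent += m.cost
    return chosen


def scan(data: bytes, backlog_mb: float, threshold_mb: float = 50.0) -> dict:
    """Run the selected subset and return the status record that a later
    network element would consult: what ran, what is still pending, what
    was found, and whether the scan is complete."""
    ran = select_modules(backlog_mb, threshold_mb)
    return {
        "modules_run": [m.name for m in ran],
        "modules_pending": [m.name for m in MODULES if m not in ran],
        "hits": [m.name for m in ran if m.check(data)],
        "complete": len(ran) == len(MODULES),
    }


if __name__ == "__main__":
    sample = b"hello SIGNATURE-A"          # constructed input
    for backlog in (10, 100, 150, 200):
        print(backlog, scan(sample, backlog))
```

Because the record lists the modules that did not run, a downstream element can finish exactly the remainder rather than guessing; the ordering by cost is a choice made here, and a deployment would more likely order modules by the threats that matter most at that element, as the text above suggests.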
As an option, a status of the scanning at the network element may be stored in memory. As such, an additional network element, e.g. a server, may conditionally scan the data based on the status in a manner that will be set forth in greater detail during reference to FIG. 6. It should be noted that such memory may take the form of a database, centralized reference information repository, an indexed flat file, a holographic storage system, or any memory capable of storing information.
FIG. 4 illustrates another method 400 for scanning data. In one embodiment, the method 400 may be executed by the data server scanner 120 coupled to each data server 114 of FIG. 1. It should be noted, however, that the method 400 may be executed by any of the scanners 118, 120 and/or 122 of FIG. 1, or by a scanner associated with any desired network element.
Initially, data is received at a network element in operation 402. After the receipt of data at the network element, it is determined as to whether there is a request for the data from another network element in operation 404. As an option, the request for the data may be received from one of the user devices 116.
The data may then be conditionally scanned at the network element based on whether there is a request for the data from another network element. In particular, if it is determined in decision 405 that a request has been made for the data, the data may only be partially scanned at the network element. See operation 410. As an option, an amount of scanning completed at the network element may be a function of a load on the network element. Once partially scanned, the data may be transmitted to the requesting network element in operation 412.
If, on the other hand, it is determined in decision 405 that no request is currently pending for the data, a complete scan may be executed in operation 406. Once the complete scan is executed, the present method 400 may poll until a request is received in decision 408. Once the request is received, the data may be transmitted to the requesting network element in operation 412.
It should be noted that the partial and complete scans may each include any type of scan and may differ in any desired manner, as long as the partial scan takes less time to execute than the complete scan.
Optionally, a status of the scanning at the network element may be stored in memory. As such, an additional network element, e.g. a user device, may conditionally scan the data based on the status in a manner that will be set forth in greater detail during reference to FIG. 6.
FIG. 5 illustrates yet another method 500 for scanning data, in accordance with one embodiment. As an option, the method 500 may be executed by the user device scanners 122 coupled to the user devices 116 of FIG. 1. It should be noted, however, that the method 500 may be executed by any of the scanners 118, 120 and/or 122 of FIG. 1, or by a scanner associated with any desired network element.
Upon the receipt of data at a network element in operation 502, an extent to which the data was previously scanned by another network element is determined. See operation 504.
The data is then conditionally scanned at the network element based on the extent to which the data was previously scanned by another network element, as indicated in operation 506. In particular, an amount of scanning completed at the network element may be a function of the extent to which the data was previously scanned by another network element.
For example, an amount of scanning completed at the network element may be sufficient to complete an entirety of the scanning. As mentioned earlier, scans often take the form of multiple scanning modules each adapted to detect different types of vulnerabilities, viruses, etc. The current scan of operation 506 may thus include any remaining subset of the full collection of such scanning modules.
Optionally, the extent to which the data was previously scanned by another network element is identified in a memory log accessible by the network element. Further, a status of the scanning at the present network element after operation 506 may be stored in such log. As such, still yet another additional network element may conditionally scan the data based on the status in a manner that will be set forth in greater detail during reference to FIG. 6.
FIG. 6 illustrates an exemplary method 600 combining the various principles set forth hereinabove into a single system. Initially, in operation 602, data is received from one of the remote networks 102 at the gateway 107 coupled between the remote network 102 and at least one of the data servers 114. It is initially determined in decision 604 whether a backlog of data to be scanned in the gateway scanner 118 exists.
If the backlog is greater than a predetermined amount, a partial scan is performed utilizing the gateway scanner 118 at the gateway 107. See operation 606. If, on the other hand, the backlog is less than the predetermined amount, an entirety of the data is scanned utilizing the gateway scanner 118 at the gateway 107. Note operation 608.
A first status as to the scanning performed utilizing the gateway scanner 118 is stored in a database 612 coupled to the gateway scanner 118. Note operation 610. Such database 612 may be coupled to the gateway scanner 118 via one of the networks 102 and 108, reside at the gateway 107, or in any desired location. More information regarding such process may be found by reference to FIG. 3.
Next, the data is passed from the gateway scanner 118 to the data server 114 coupled thereto. At the data server scanner 120 of the data server 114, the first status stored in operation 610 is read from the database 612 utilizing the data server scanner 120 at the data server 114. Note operation 614.
It is then determined in decision 616 whether there is a request for the data from at least one user device 116 coupled to the data server 114. If it is determined that there is a request for the data from the user device 116, a partial scan is executed. Note operation 618. If the request arrives while a complete scan is already in progress, that scan may be stopped before it finishes. If, however, it is determined that there is not a request for the data from the user device 116, a complete scan is executed. See operation 620.
A second status of the scanning performed utilizing the data server scanner 120 is then stored in the database 612 which is coupled thereto. Note operation 622. It should be noted that the second status may be simply an update to the first status, a stand-alone status record, or any desired information for tracking the current status of the scanning. In use, the data is transmitted to the user device 116 in response to the request. More information regarding such process may be found by reference to FIG. 4.
At the user device 116, the second status is read from the database 612 utilizing the user device scanner 122 at the user device 116. See operation 624. As such, it may be determined whether the scanning of the data is complete based on the first status and the second status. If it is determined that the scanning of the data is complete in decision 626, the data is simply used at the user device 116. See operation 627. If it is determined that the scanning of the data is not complete in decision 626, the scanning of the data is completed utilizing the user device scanner 122 at the user device 116. Note operation 628.
Finally, in operation 630, a third status is stored in the database 612 for indicating that the scanning is complete. As such, other network elements may selectively scan the data based on the status. More information regarding such process may be found by reference to FIG. 5.
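The combined flow of FIG. 6, together with the request-driven scan of FIG. 4 and the status-driven completion of FIG. 5, is shown below as an added example written for this page; it is not code from the patent. Two details are assumptions of the example rather than anything the patent specifies: the status database 612 is modelled as an in-memory dictionary keyed by a SHA-256 digest of the data, so that a status record can only ever apply to exactly the bytes it was written for, and a scan is a fixed ordered list of module names, with the gateway's partial scan taking the first half of the list and the data server's partial scan taking only the first remaining module. The digest key matters in practice: once the user device is the element trusted to finish a deferred scan, a status record that is attached to the wrong data would let content reach the endpoint with less scanning than intended, and binding the record to the content is the simplest way to prevent that. The detection tokens are placeholders, not real signatures.

```python
"""Status-tracked scanning across gateway, data server and user device
(FIGS. 4, 5 and 6 of US6981280B2).  Added example, not the patent's code.
Assumed here: status rows keyed by a SHA-256 digest of the data, and a
fixed ordered list of scanning modules."""
import hashlib

ALL_MODULES = ("signature", "heuristic", "archive", "content")

# Stand-in detectors over constructed tokens (not real signatures).
_CHECKS = {
    "signature": lambda d: b"SIGNATURE-A" in d,
    "heuristic": lambda d: b"eval(" in d,
    "archive":   lambda d: d.startswith(b"PK\x03\x04"),
    "content":   lambda d: b"CONFIDENTIAL" in d,
}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_modules(data: bytes, names) -> list:
    """Run the named modules; return the names that found something."""
    return [n for n in names if _CHECKS[n](data)]


class StatusDB:
    """Database 612: which modules have already run for a given datum."""

    def __init__(self):
        self._rows = {}

    def read(self, data: bytes) -> dict:
        return self._rows.get(digest(data), {"done": [], "hits": [], "by": []})

    def update(self, data: bytes, element: str, ran, hits) -> dict:
        """Store the status for one element as an update to the existing row
        (the patent also allows a stand-alone record per element)."""
        old = self.read(data)
        row = {
            "done": old["done"] + [n for n in ran if n not in old["done"]],
            "hits": old["hits"] + [h for h in hits if h not in old["hits"]],
            "by":   old["by"] + [element],
        }
        self._rows[digest(data)] = row
        return row


def remaining(db: StatusDB, data: bytes) -> list:
    """Operation 504: the extent to which the data was already scanned."""
    done = db.read(data)["done"]
    return [n for n in ALL_MODULES if n not in done]


def gateway_scan(db, data, backlog_mb, threshold_mb=50.0) -> dict:
    """Operations 604-610: above the backlog threshold scan only the first
    half of the modules, otherwise all of them; store the first status."""
    todo = list(ALL_MODULES)
    if backlog_mb > threshold_mb:
        todo = todo[: len(todo) // 2]
    return db.update(data, "gateway", todo, run_modules(data, todo))


def server_scan(db, data, request_pending: bool) -> dict:
    """Operations 614-622: read the first status, then with a request
    pending run only the first remaining module and let the user device
    finish; with no request pending finish everything here."""
    todo = remaining(db, data)
    if request_pending and len(todo) > 1:
        todo = todo[:1]
    return db.update(data, "server", todo, run_modules(data, todo))


def user_device_scan(db, data) -> dict:
    """Operations 624-630: complete whatever is left and record it."""
    todo = remaining(db, data)
    return db.update(data, "user_device", todo, run_modules(data, todo))


def deliver(db, data, backlog_mb, request_pending):
    """Whole pipeline.  Returns the final status row and whether the data
    may be used: every module has run and none of them found anything."""
    gateway_scan(db, data, backlog_mb)
    server_scan(db, data, request_pending)
    row = user_device_scan(db, data)
    complete = set(row["done"]) == set(ALL_MODULES)
    return row, complete and not row["hits"]


if __name__ == "__main__":
    db = StatusDB()
    print(deliver(db, b"plain text body", backlog_mb=100, request_pending=True))
    print(deliver(db, b"CONFIDENTIAL memo", backlog_mb=1, request_pending=False))
```

Under load with a request pending, the gateway runs two modules, the server one, and the user device the last one, so every module runs exactly once across the three elements; with no load and no request, the gateway completes the scan and the later elements find nothing remaining.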
It should be noted that processes similar to those set forth hereinabove may be used with outgoing data. For example, the user device scanners 122 of the user devices 116 may utilize the functionality of FIGS. 3 and 4 in response to load conditions and requests made by other network elements, respectively. Moreover, the gateway scanner 118 of the gateway 107 may employ the techniques of FIG. 5 prior to transmitting data to the remote networks 102. Of course, any of the network elements may employ any of the desired functionality set forth hereinabove.
The various techniques disclosed herein thus provide the ability to intelligently vary the amount of scanning based upon available computing resources and content bandwidth requirements; to identify data that has been partially checked and to communicate its integrity status to other applications through the use of the database; and to defer lower-priority scanning tasks to another time and/or delegate scanning tasks to other available networked scanning computers when adequately prioritized analysis resources are not available.
While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of a preferred embodiment should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.

Claims (29)

1. A scanning method, comprising:
a) receiving data at a network element;
b) identifying a load on the network element; and
c) conditionally scanning the data at the network element based on the load on the network element;
wherein an amount of scanning completed at the network element is a function of the load on the network element;
wherein the data is partially scanned at the network element if the load on the network element is greater than a predetermined amount.
2. The method as recited in claim 1, wherein the network element includes a gateway.
3. The method as recited in claim 1, wherein the load includes a backlog of data to be scanned at the network element.
4. The method as recited in claim 1, wherein the data is completely scanned at the network element if the load on the network element is less than the predetermined amount.
5. The method as recited in claim 1, and further comprising storing a status of the scanning at the network element.
6. The method as recited in claim 5, wherein an additional network element conditionally scans the data based on the status.
7. The method as recited in claim 6, wherein the additional network element includes a server.
8. A computer program product embodied on a computer readable medium for scanning, comprising:
a) computer code for receiving data at a network element;
b) computer code for identifying a current load on the network element; and
c) computer code for conditionally scanning the data at the network element based on the load on the network element;
wherein an amount of scanning completed at the network element is a function of the load on the network element;
wherein the data is partially scanned at the network element if the load on the network element is greater than a predetermined amount.
9. A scanning system, comprising:
a) means for receiving data at a network element;
b) means for identifying a current load on the network element; and
c) means for conditionally scanning the data at the network element based on the load on the network element;
wherein an amount of scanning completed at the network element is a function of the load on the network element;
wherein the data is partially scanned at the network element if the load on the network element is greater than a predetermined amount.
10. A scanning method, comprising:
a) receiving data at a network element;
b) determining whether there is a request for the data and identifying a load on the network element;
c) conditionally scanning the data at the network element based on whether there is a request for the data and the load on the network element; and
d) transmitting the data in response to the request;
wherein an amount of scanning completed at the network element is a function of whether there is a request for the data and the load on the network element;
wherein the data is partially scanned at the network element if the load on the network element is greater than a predetermined amount.
11. The method as recited in claim 10, wherein the network element includes a server.
12. The method as recited in claim 10, wherein the request for the data is received from a user device.
13. The method as recited in claim 10, wherein the data is partially scanned at the network element if it is determined that there is a request for the data.
14. The method as recited in claim 13, wherein the data is completely scanned at the network element if it is determined that there is not a request for the data.
15. The method as recited in claim 10, and further comprising storing a status of the scanning at the network element.
16. The method as recited in claim 15, wherein an additional network element conditionally scans the data based on the status.
17. A computer program product embodied on a computer readable medium for scanning, comprising:
a) computer code for receiving data at a network element;
b) computer code for determining whether there is a request for the data;
c) computer code for conditionally scanning the data at the network element based on whether there is a request for the data and a load on the network element; and
d) computer code for transmitting the data in response to the request;
wherein an amount of scanning completed at the network element is a function of whether there is a request for the data and the load on the network element;
wherein the data is partially scanned at the network element if the load on the network element is greater than a predetermined amount.
18. A scanning system, comprising:
a) means for receiving data at a network element;
b) means for determining whether there is a request for the data;
c) means for conditionally scanning the data at the network element based on whether there is a request for the data and a load on the network element; and
d) means for transmitting the data in response to the request;
wherein an amount of scanning completed at the network element is a function of whether there is a request for the data and the load on the network element;
wherein the data is partially scanned at the network element if the load on the network element is greater than a predetermined amount.
19. A scanning method, comprising:
a) receiving data at a network element;
b) determining an extent to which the data was previously scanned by another network element and identifying a load on the network element;
c) conditionally scanning the data at the network element based on the extent to which the data was previously scanned by another network element and the load on the network element;
wherein an amount of scanning completed at the network element is a function of the extent to which the data was previously scanned by another network element and the load on the network element;
wherein the data is partially scanned at the network element if the load on the network element is greater than a predetermined amount.
20. The method as recited in claim 19, wherein the network element includes a user device.
21. The method as recited in claim 19, wherein an amount of scanning completed at the network element is a function of the extent to which the data was previously scanned by another network element.
22. The method as recited in claim 21, wherein an amount of scanning completed at the network element is sufficient to complete an entirety of the scanning.
23. The method as recited in claim 21, wherein the extent to which the data was previously scanned by another network element is identified in a log accessible by the network element.
24. The method as recited in claim 19, and further comprising storing a status of the scanning at the network element.
25. The method as recited in claim 24, wherein an additional network element conditionally scans the data based on the status.
26. A computer program product embodied on a computer readable medium for scanning, comprising:
a) computer code for receiving data at a network element;
b) computer code for determining an extent to which the data was previously scanned by another network element;
c) computer code for conditionally scanning the data at the network element based on the extent to which the data was previously scanned by another network element and a load on the network element;
wherein an amount of scanning completed at the network element is a function of the extent to which the data was previously scanned by another network element and the load on the network element;
wherein the data is partially scanned at the network element if the load on the network element is greater than a predetermined amount.
27. A scanning system, comprising:
a) means for receiving data at a network element;
b) means for determining an extent to which the data was previously scanned by another network element;
c) means for conditionally scanning the data at the network element based on the extent to which the data was previously scanned by another network element and a load on the network element;
wherein an amount of scanning completed at the network element is a function of the extent to which the data was previously scanned by another network element and the load on the network element;
wherein the data is partially scanned at the network element if the load on the network element is greater than a predetermined amount.
28. A method for efficient scanning, comprising:
a) receiving data from a network at a gateway coupled between a network and at least one data server;
b) identifying a backlog of data to be scanned in the gateway;
c) if the backlog is greater than a predetermined amount, performing a partial scan utilizing a gateway scanner at the gateway;
d) if the backlog is less than the predetermined amount, performing a complete scan utilizing the gateway scanner at the gateway;
e) storing a first status of the scanning performed utilizing the gateway scanner in a database coupled to the gateway scanner;
f) passing the data from the gateway scanner to the data server coupled thereto;
g) reading the first status from the database utilizing a data server scanner at the data server;
h) determining whether there is a request for the data from at least one user device coupled to the data server;
i) if it is determined that there is a request for the data from the user device, performing a partial scan on the data;
j) storing a second status of the scanning performed utilizing the data server scanner in the database which is coupled thereto;
k) transmitting the data to the user device;
l) reading the second status from the database utilizing a user device scanner at the user device;
m) determining whether the scanning of the data is complete based on the first status and the second status; and
n) if it is determined that the scanning of the data is not complete, completing the scanning of the data utilizing the user device scanner at the user device.
29. The method as recited in claim 28, and further comprising storing a third status of the scanning performed utilizing the user device scanner in the database which is coupled thereto.
US09/895,499 2001-06-29 2001-06-29 Intelligent network scanning system and method Expired - Lifetime US6981280B2 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
US09/895,499 US6981280B2 (en) 2001-06-29 2001-06-29 Intelligent network scanning system and method
EP02749553A EP1402370A1 (en) 2001-06-29 2002-06-05 Intelligent network scanning system and method
PCT/US2002/017760 WO2003003214A1 (en) 2001-06-29 2002-06-05 Intelligent network scanning system and method
US11/232,812 US7152241B2 (en) 2001-06-29 2005-09-21 Intelligent network scanning system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US09/895,499 US6981280B2 (en) 2001-06-29 2001-06-29 Intelligent network scanning system and method

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US11/232,812 Continuation US7152241B2 (en) 2001-06-29 2005-09-21 Intelligent network scanning system and method

Publications (2)

Publication Number Publication Date
US20030009690A1 US20030009690A1 (en) 2003-01-09
US6981280B2 true US6981280B2 (en) 2005-12-27

Family

ID=25404591

Family Applications (2)

Application Number Title Priority Date Filing Date
US09/895,499 Expired - Lifetime US6981280B2 (en) 2001-06-29 2001-06-29 Intelligent network scanning system and method
US11/232,812 Expired - Fee Related US7152241B2 (en) 2001-06-29 2005-09-21 Intelligent network scanning system and method

Family Applications After (1)

Application Number Title Priority Date Filing Date
US11/232,812 Expired - Fee Related US7152241B2 (en) 2001-06-29 2005-09-21 Intelligent network scanning system and method

Country Status (3)

Country Link
US (2) US6981280B2 (en)
EP (1) EP1402370A1 (en)
WO (1) WO2003003214A1 (en)

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030061514A1 (en) * 2001-09-27 2003-03-27 International Business Machines Corporation Limiting the output of alerts generated by an intrusion detection sensor during a denial of service attack
US20060021039A1 (en) * 2001-06-29 2006-01-26 Grupe Robert R Intelligent network scanning system and method
US20070053382A1 (en) * 2005-09-06 2007-03-08 Bevan Stephen J Method, apparatus, signals, and medium for managing a transfer of data in a data network
US20080295176A1 (en) * 2007-05-24 2008-11-27 Microsoft Corporation Anti-virus Scanning of Partially Available Content
US20090077665A1 (en) * 2005-03-22 2009-03-19 Matsushita Electric Industrial Co., Ltd. Method and applications for detecting computer viruses
US7607171B1 (en) 2002-01-17 2009-10-20 Avinti, Inc. Virus detection by executing e-mail code in a virtual machine
WO2010067070A1 (en) 2008-12-11 2010-06-17 Scansafe Limited Malware detection
US8082584B1 (en) * 2007-10-16 2011-12-20 Mcafee, Inc. System, method, and computer program product for conditionally performing a scan on data based on an associated data structure
US8307440B1 (en) * 2007-08-03 2012-11-06 Hewlett-Packard Development Company, L.P. Non-blocking shared state in an intrusion-prevention system
US8321936B1 (en) 2007-05-30 2012-11-27 M86 Security, Inc. System and method for malicious software detection in multiple protocols
US8667590B1 (en) * 2004-08-20 2014-03-04 Trend Micro Incorporated Method and apparatus for protecting high availability devices from computer viruses and other malicious content
US8984644B2 (en) 2003-07-01 2015-03-17 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9100431B2 (en) 2003-07-01 2015-08-04 Securityprofiling, Llc Computer program product and apparatus for multi-path remediation
US9118709B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9118708B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Multi-path remediation
US9117069B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Real-time vulnerability monitoring
US9118710B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc System, method, and computer program product for reporting an occurrence in different manners
US9118711B2 (en) 2003-07-01 2015-08-25 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9350752B2 (en) 2003-07-01 2016-05-24 Securityprofiling, Llc Anti-vulnerability system, method, and computer program product
US9652613B1 (en) 2002-01-17 2017-05-16 Trustwave Holdings, Inc. Virus detection by executing electronic message code in a virtual machine
US10057284B2 (en) * 2015-03-19 2018-08-21 Fortinet, Inc. Security threat detection

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8407798B1 (en) 2002-10-01 2013-03-26 Skybox Secutiry Inc. Method for simulation aided security event management
US8856921B1 (en) * 2002-10-07 2014-10-07 Symantec Corporation Threat emergence date scan optimization to avoid unnecessary loading of scan engines
US7620974B2 (en) * 2005-01-12 2009-11-17 Symantec Distributed traffic scanning through data stream security tagging
US20070065021A1 (en) * 2005-07-14 2007-03-22 David Delgrosso System for encoding signatures for compressed storage using a signature encoding algorithm
US7707635B1 (en) * 2005-10-06 2010-04-27 Trend Micro Incorporated Script-based pattern for detecting computer viruses
US8104077B1 (en) * 2006-01-03 2012-01-24 Symantec Corporation System and method for adaptive end-point compliance
ATE401725T1 (en) * 2006-03-01 2008-08-15 Research In Motion Ltd Multi-level anti-spam system and load-balanced process
US8131805B2 (en) 2006-03-01 2012-03-06 Research In Motion Limited Multilevel anti-spam system and method with load balancing
US8631494B2 (en) * 2006-07-06 2014-01-14 Imation Corp. Method and device for scanning data for signatures prior to storage in a storage device
JP4943278B2 (en) 2007-09-06 2012-05-30 Hitachi, Ltd. Virus scanning method and computer system using the method
US20100011432A1 (en) * 2008-07-08 2010-01-14 Microsoft Corporation Automatically distributed network protection
CN102905269B (en) * 2011-07-26 2017-06-13 Siemens AG Mobile phone virus detection method and device
US10943031B2 (en) * 2017-12-22 2021-03-09 Citrix Systems, Inc. Adaptive data sanitation system for endpoints
JP2019192956A (en) * 2018-04-18 2019-10-31 Konica Minolta, Inc. Information processing device, image forming device, image forming system, and virus check method

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1993022723A1 (en) 1992-04-28 1993-11-11 Multi-Inform A/S Network adaptor connected to a computer for virus signature recognition in all files on a network
US5319776A (en) 1990-04-19 1994-06-07 Hilgraeve Corporation In transit detection of computer virus with safeguard
US5491791A (en) 1995-01-13 1996-02-13 International Business Machines Corporation System and method for remote workstation monitoring within a distributed computing environment
US5623600A (en) 1995-09-26 1997-04-22 Trend Micro, Incorporated Virus detection and removal apparatus for computer networks
US5832208A (en) 1996-09-05 1998-11-03 Cheyenne Software International Sales Corp. Anti-virus agent for use with databases and mail servers
US5889943A (en) 1995-09-26 1999-03-30 Trend Micro Incorporated Apparatus and method for electronic mail virus detection and elimination
US6014558A (en) 1998-12-28 2000-01-11 Northern Telecom Limited Variable rate optional security measures method and apparatus for wireless communications network
US6088803A (en) 1997-12-30 2000-07-11 Intel Corporation System for virus-checking network data during download to a client device
US6092194A (en) 1996-11-08 2000-07-18 Finjan Software, Ltd. System and method for protecting a computer and a network from hostile downloadables
US20010005889A1 (en) * 1999-12-24 2001-06-28 F-Secure Oyj Remote computer virus scanning
US6381641B1 (en) 1997-11-26 2002-04-30 Nec Corporation Network traffic management system
US6397335B1 (en) 1998-02-12 2002-05-28 Ameritech Corporation Computer virus screening methods and systems
US6802012B1 (en) * 2000-10-03 2004-10-05 Networks Associates Technology, Inc. Scanning computer files for unwanted properties

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6092491A (en) * 1999-09-16 2000-07-25 Masters; William Boiler wash
US6981280B2 (en) * 2001-06-29 2005-12-27 Mcafee, Inc. Intelligent network scanning system and method

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
PR Newswire, "F-Secure's Anti-Virus for Firewalls and Anti-Virus for Internet Mail Is Supported by Stonebeat(R) Securitycluster(TM) from Stonesoft," Jan. 16, 2001, PR Newswire Assoc., Inc., p. 00494847. *
Stonesoft Corporation, "StoneBeat SecurityCluster(TM) Manual," 2001, Version 2.0. *
Stonesoft, "StoneBeat SecurityCluster White Paper," Aug. 2000. *

Also Published As

Publication number Publication date
US20060021039A1 (en) 2006-01-26
EP1402370A1 (en) 2004-03-31
US20030009690A1 (en) 2003-01-09
WO2003003214A1 (en) 2003-01-09
US7152241B2 (en) 2006-12-19

Similar Documents

Publication Publication Date Title
US7152241B2 (en) Intelligent network scanning system and method
US6944775B2 (en) Scanner API for executing multiple scanning engines
US6963978B1 (en) Distributed system and method for conducting a comprehensive search for malicious code in software
US7007302B1 (en) Efficient management and blocking of malicious code and hacking attempts in a network environment
JP4688420B2 (en) System and method for enhancing electronic security
CA2545916C (en) Apparatus method and medium for detecting payload anomaly using n-gram distribution of normal data
US7424746B1 (en) Intrusion detection and vulnerability assessment system, method and computer program product
US8266703B1 (en) System, method and computer program product for improving computer network intrusion detection by risk prioritization
US9467470B2 (en) System and method for local protection against malicious software
US7003561B1 (en) System, method and computer program product for improved efficiency in network assessment utilizing a port status pre-qualification procedure
US8375120B2 (en) Domain name system security network
US7549168B1 (en) Network-based risk-assessment tool for remotely detecting local computer vulnerabilities
AU2008207926B2 (en) Correlation and analysis of entity attributes
US7036147B1 (en) System, method and computer program product for eliminating disk read time during virus scanning
AU2008207930B2 (en) Multi-dimensional reputation scoring
US20220210173A1 (en) Contextual zero trust network access (ztna) based on dynamic security posture insights
EP2180660B1 (en) Method and system for statistical analysis of botnets
US7373659B1 (en) System, method and computer program product for applying prioritized security policies with predetermined limitations
AU2008207924B2 (en) Web reputation scoring
US8195750B1 (en) Method and system for tracking botnets
US20030065793A1 (en) Anti-virus policy enforcement system and method
US20100306846A1 (en) Reputation based load balancing
US7124181B1 (en) System, method and computer program product for improved efficiency in network assessment utilizing variable timeout values
US7269649B1 (en) Protocol layer-level system and method for detecting virus activity
US8082583B1 (en) Delegation of content filtering services between a gateway and trusted clients in a computer network

Legal Events

Date Code Title Description
AS Assignment
  Owner name: NETWORKS ASSOCIATES TECHNOLOGY, INC., CALIFORNIA
  Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:GRUPE, ROBERT R.;REEL/FRAME:011956/0363
  Effective date: 20010628

AS Assignment
  Owner name: MCAFEE, INC., CALIFORNIA
  Free format text: MERGER;ASSIGNOR:NETWORKS ASSOCIATES TECHNOLOGY, INC.;REEL/FRAME:016646/0513
  Effective date: 20041119

STCF Information on status: patent grant
  Free format text: PATENTED CASE
FPAY Fee payment
  Year of fee payment: 4
FEPP Fee payment procedure
  Free format text: PAYER NUMBER DE-ASSIGNED (ORIGINAL EVENT CODE: RMPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY
  Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY
FPAY Fee payment
  Year of fee payment: 8
FPAY Fee payment
  Year of fee payment: 12
AS Assignment
  Owner name: MCAFEE, LLC, CALIFORNIA
  Free format text: CHANGE OF NAME AND ENTITY CONVERSION;ASSIGNOR:MCAFEE, INC.;REEL/FRAME:043665/0918
  Effective date: 20161220
AS Assignment
  Owner name: MORGAN STANLEY SENIOR FUNDING, INC., MARYLAND
  Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:045056/0676
  Effective date: 20170929
  Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK
  Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:045055/0786
  Effective date: 20170929
AS Assignment
  Owner name: MORGAN STANLEY SENIOR FUNDING, INC., MARYLAND
  Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045056 FRAME 0676. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:054206/0593
  Effective date: 20170929
  Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK
  Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE REMOVE PATENT 6336186 PREVIOUSLY RECORDED ON REEL 045055 FRAME 786. ASSIGNOR(S) HEREBY CONFIRMS THE SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:055854/0047
  Effective date: 20170929
AS Assignment
  Owner name: MCAFEE, LLC, CALIFORNIA
  Free format text: RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045055/0786;ASSIGNOR:JPMORGAN CHASE BANK, N.A., AS COLLATERAL AGENT;REEL/FRAME:054238/0001
  Effective date: 20201026
AS Assignment
  Owner name: MCAFEE, LLC, CALIFORNIA
  Free format text: RELEASE OF INTELLECTUAL PROPERTY COLLATERAL - REEL/FRAME 045056/0676;ASSIGNOR:MORGAN STANLEY SENIOR FUNDING, INC., AS COLLATERAL AGENT;REEL/FRAME:059354/0213
  Effective date: 20220301
AS Assignment
  Owner name: JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT AND COLLATERAL AGENT, NEW YORK
  Free format text: SECURITY INTEREST;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:059354/0335
  Effective date: 20220301
AS Assignment
  Owner name: JPMORGAN CHASE BANK, N.A., AS ADMINISTRATIVE AGENT, NEW YORK
  Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE PATENT TITLES AND REMOVE DUPLICATES IN THE SCHEDULE PREVIOUSLY RECORDED AT REEL: 059354 FRAME: 0335. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:MCAFEE, LLC;REEL/FRAME:060792/0307
  Effective date: 20220301